﻿<%@ Page Language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>AntiCSRF Demonstration Page</title>
    <link href="styles.css" rel="stylesheet" type="text/css" />
</head>
<body>
    <h1>AntiCSRF Demonstration Page</h1>
    <p>This page will enable you to test the functionality of the AntiCSRF module.</p>
    <ol>
        <li>Begin by entering a value into the <a href="#protected">Protected</a> test. This
            will throw an exception.<br />
            The exception indicates that you are missing the CSRF cookie that you would normally
            receive when loading a page containing a &lt;form runat="server"&gt; via a GET request
            and that the sample form does not contain a valid CSRF token.</li>
        <li>Next enter a value in the <a href="#unprotected">Unprotected</a> test. This will
            submit the form and display results.<br />
            At this point you do not have a CSRF cookie - this demonstrates that excluding a
            page by decorating it with the [Idunno.AntiCsrf.SuppressCsrfCheck] attribute works.</li>
        <li>Now try the second <a href="#interfaceUnprotected">Unprotected</a> test. This will
            submit the form and display results.<br />
            Again At this point you do not have a CSRF cookie - this demonstrates that excluding
            a page by having it implement the Idunno.AntiCsrf.ISuppressCsrfCheck interface works
            (this scenario is suitable for pages were code is embedded in the page rather than
            in a separate code behind class.</li>
        <li>Finally <a href="#getRequest">browse</a> to the initial protected page via a GET
            request. This will display a new test form. As the request is a GET request CSRF
            checking is not performed and the CSRF token and cookie are generated. From this
            point onwards you will be able to submit the test page as it contains a token and
            you have a matching cookie.</li>
    </ol>
    <p>
        As an additional test you may want to mimic what would happen if an attacker attempt
        to submit to your application from their web site.</p>
    <ol>
        <li>Load the <a href="#getRequest">Test Form via a GET</a> view the source of the form
            and save it to your desktop.</li>
        <li>Open the saved .html file in an editor and change the action parameter in the form
            to point to the form hosted within VS (http://localhost:4646/protectedPage).</li>
        <li>Now close your browser.</li>
        <li>Right click on default.aspx in Visual Studio and choose "View In Browser" but do
            not do any of the tests on this page. You will no longer have any CSRF cookies.</li>
        <li>Double click the locally saved HTML file. You will note that the URL in the browser
            is a local one, file://..., just imaging this is http://badsite.example. Fill in
            a value in the <a href="#protected">protected test</a> and submit it. An exception
            is thrown indicating you have no CSRF cookie.</li>
        <li>Now in the browser tab that refers to http://localhost/ scroll down and <a href="#getRequest">
            load the protected page via a GET request</a>. You will now have a CSRF cookie,
            but it will be different to the value the potential attacker has.</li>
        <li>Return to the tab containing your file:// local copy of this page and try to submit
            to the protected page again. You will see that despite having a CSRF cookie an exception
            still occurs because your cookie and the token value on the exploit page are different.</li>
    </ol>
    
    <h2>Further Information</h2>
    <ul>
        <li><a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF on Wikipedia</a></li>
        <li><a href="http://www.cgisecurity.com/csrf-faq.html">The CSRF FAQ</a></li>
        <li><a href="http://www.owasp.org/index.php/Cross-Site_Request_Forgery">OWASP CSRF Page</a></li>
    </ul>
    
    <h2>Test forms:</h2>
    <div id="tests">
        <form id="protected" action="protectedPage.aspx" method="post">
        <fieldset>
            <legend>Test a Protected Page</legend>
            <div>
                <input name="TextBox1" />
                <input type="submit" value="Test" /></div>
            <div><em>This will throw an exception, this is to be expected.</em></div>
        </fieldset>
        </form>
        <form id="unprotected" action="unprotectedPage.aspx" method="post">
        <fieldset>
            <legend>Test an unprotected page</legend>
            <div>
                <input name="TextBox1" />
                <input type="submit" value="Test" /></div>
        </fieldset>
        </form>
        <form id="interfaceUnprotected" action="unprotectedPageInterfaceExcluded.aspx" method="post">
        <fieldset>
            <legend>Test an unprotected page (using Interface based exclusion)</legend>
            <input name="TextBox1" />
            <input type="submit" value="Test" />
        </fieldset>
        </form>
        <form id="getRequest" action="#">
        <fieldset>
            <legend>Load the protected page normally via a GET.</legend>
            <p>
                <a href="protectedPage.aspx">Load protected page via GET.</a></p>
        </fieldset>
        </form>
    </div>
</body>
</html>
